Healthcare Compliance Perspective:
Healthcare providers must ensure that any documentation containing Protected Health Information is destroyed promptly once it is no longer needed, either by shredding it or by placing it in a secure recycling or shredding bin until it is destroyed.
The identity of whoever dumped the records has not been discovered; however, the names of three physicians were identified along with the names, addresses, birth dates, social security numbers, driver’s license numbers and medical histories of a number of women.
One of the women contacted was appalled that such personal medical information would be handled so carelessly. The record with her name on it said, “Patient has a history of herpes.” Another woman’s information had “High risk of HPV” boldly written across the top of the page.
The three physicians identified all denied being currently employed by the women’s health center, and all three vehemently denied having any access to the patients’ records or knowledge about how they were discarded.
The Health Insurance Portability and Accountability Act (HIPAA) requires that protected health information (PHI) not be discarded in public receptacles unless it has been made unreadable or indecipherable. HIPAA also requires that healthcare facilities have an appropriate plan in place for disposing of any medical records. Acceptable methods include shredding, burning, pulverizing or turning into pulp; it is not acceptable to dump legible medical records in a public area.
The Department of Health and Human Services’ website reports that the consequences of violating HIPAA requirements include fines ranging from $100 for unintentional violations up to $50,000 for willfully neglecting to dispose of the medical records according to legal requirements.
An official investigation into this incident has not been confirmed by state officials.